This article describes how to find deleted users on a FortiAuthenticator and, from the raw logs, verify how each deletion happened.
This is especially useful for determining whether a remote user was deleted manually by a FortiAuthenticator administrator, or was removed automatically when the corresponding rule under 'Remote User Sync Rules' ran after the user had been deleted from LDAP.
FortiAuthenticator
First scenario:
A remote user was deleted from LDAP, and afterwards a FortiAuthenticator admin manually synchronized the corresponding rule under 'Remote User Sync Rules'. In this case, expanding the related raw log entry shows the username of the admin who performed the action. An admin name in the entry therefore means the removal was the result of a manual action: either the admin deleted the user from the remote users list directly, or the admin manually triggered the synchronization of the related rule.
Second scenario:
A user was deleted from LDAP, and the corresponding rule then synchronized automatically on the FortiAuthenticator at the interval configured in the rule settings, removing the user from the 'Remote users' list. In this scenario, the 'user' field in the log details is empty, which means the user was removed by the automatically triggered rule synchronization: no FortiAuthenticator admin manually synchronized the rule or deleted the user.
The log entries for user account deletions can be located by log type and then confirmed by inspecting the raw log entries. The available log types are listed under Logging > Log types.
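The triage described above can be scripted over an exported raw log. The following is an added example and not code or output from the article or from Fortinet: it parses a constructed key=value log excerpt, keeps only the remote-user deletion entries, and classifies each one as manual (the 'user' field names an admin) or automatic (the 'user' field is empty, so the sync rule ran on its own). The line layout, the field names type, subtype, user and msg, and the message wording are assumptions for this example; compare them with a real raw-log export before adapting the regular expressions.

```python
"""Classify FortiAuthenticator remote-user deletions as manual or automatic sync."""
import re
from dataclasses import dataclass

# Constructed sample raw-log export. The key=value layout, field names and
# message wording are assumptions for this example, not a documented schema.
SAMPLE_RAW_LOGS = """\
2024-05-02 09:14:03 type=event subtype=user_management user="admin1" msg="Remote user 'jdoe' deleted"
2024-05-02 10:00:00 type=event subtype=user_management user="" msg="Remote user 'asmith' deleted by sync rule 'LDAP-Corp'"
2024-05-02 10:00:01 type=event subtype=user_management user="" msg="Remote user 'bjones' deleted by sync rule 'LDAP-Corp'"
2024-05-02 11:30:12 type=event subtype=user_management user="admin2" msg="Remote user 'asmith' created"
2024-05-02 12:00:00 type=event subtype=authentication user="jdoe" msg="Login failed"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The deletion message pattern assumed for this example.
DELETED_RE = re.compile(r"Remote user '([^']+)' deleted")


@dataclass
class Deletion:
    timestamp: str
    deleted_user: str
    actor: str      # admin username, or "" when the sync rule ran on its own
    method: str     # "manual" or "automatic"


def parse_line(line):
    """Split one raw-log line into its timestamp and a dict of key=value fields."""
    ts = line[:19]  # "YYYY-MM-DD HH:MM:SS" prefix of the constructed format
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line[19:])}
    return ts, fields


def classify_deletions(raw_logs):
    """Return one Deletion per remote-user deletion entry, in log order."""
    results = []
    for line in raw_logs.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_line(line)
        # Only user-management events can be deletions; skip authentication etc.
        if fields.get("subtype") != "user_management":
            continue
        match = DELETED_RE.search(fields.get("msg", ""))
        if not match:
            continue
        actor = fields.get("user", "")
        # Empty 'user' field: nobody was logged in for the action, so the
        # scheduled sync rule removed the account (second scenario above).
        method = "manual" if actor else "automatic"
        results.append(Deletion(ts, match.group(1), actor, method))
    return results


def summarize(deletions):
    """Count deletions per actor; the "" key stands for the automatic sync rule."""
    counts = {}
    for d in deletions:
        counts[d.actor] = counts.get(d.actor, 0) + 1
    return counts


if __name__ == "__main__":
    for d in classify_deletions(SAMPLE_RAW_LOGS):
        who = f"admin '{d.actor}'" if d.method == "manual" else "automatic sync rule"
        print(f"{d.timestamp}  {d.deleted_user:<8} removed by {who}")
```

Run it against a real export by replacing SAMPLE_RAW_LOGS with the file contents; a non-empty actor on a deletion is the signal that a named admin, not the scheduled synchronization, removed the account.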
Copyright 2024 Fortinet, Inc. All Rights Reserved.